Paul,
>
> In particular, a keyed hash will never be able to support
> non-repudiation.
>
Not quite true. It has been already demonstrated that some symmetric
authentication schemes can provide the necessary foundation to
non-repudiation - for example H(S,K,M) in secure hardware with S being a
unique signer's identifier sealed in the token, K a shared secret also
sealed in the token, and M a representation of the document could be
satisfactory. More sophisticated schemes can be built with key-exchange
algorithms (i.e. Diffie-Hellman).

> The trust considerations for a shared key mechanism are not the
> same as public key signed mechanisms.

Correct, though usage of a public key signature scheme does not imply trust
per se. Adopting a public key signature scheme only allows signature
verifiability without having to disclose the signing secret. Trust is bound
to the production by a trusted third-party of a credential that binds the
signature verification key with a set of attributes. Trust is only
propagated by the credential and not intrinsic to the use of public keys.

For WPR exchanges, symmetric key is often sufficient - non-repudiation is
not always necessary or can be achieved without making use of a "mechanic
with strong mathematical foundations." Many times in the past, courts have
ruled in favor of well-defined and well-documented business processes though
not founded upon mathematical concepts. In fact, a symmetric authentication
scheme with an adequate audit-trail and well-defined processes may stand
stronger than a public-key signature scheme with inadequate protection of
the private-key or an obvious lack of scrutiny when establishing
credentials.

Sincerely,
Richard D. Brown
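
Added example, not part of the original message: a software model of the H(S,K,M) token scheme described above, showing that a token holding the shared K can check another signer's tag but only ever emits tags bound to its own sealed S. Assumptions: H is HMAC-SHA256 with a length-prefixed S, and the `Token` class, its method names and the sample key and document are hypothetical; Python attribute hiding only stands in for the hardware boundary.

```python
import hashlib
import hmac


def _h(signer_id: bytes, key: bytes, message: bytes) -> bytes:
    # H(S, K, M). HMAC-SHA256 is an assumption; the message does not name H.
    # S is length-prefixed so different (S, M) pairs cannot collide.
    data = len(signer_id).to_bytes(2, "big") + signer_id + message
    return hmac.new(key, data, hashlib.sha256).digest()


class Token:
    """Stand-in for the secure hardware: S and K are never returned."""

    def __init__(self, signer_id: bytes, shared_key: bytes):
        self.__s = signer_id   # sealed signer identifier S
        self.__k = shared_key  # sealed shared secret K

    def sign(self, message: bytes) -> tuple[bytes, bytes]:
        # The token only emits tags computed over its own sealed S.
        return self.__s, _h(self.__s, self.__k, message)

    def verify(self, claimed_id: bytes, message: bytes, tag: bytes) -> bool:
        # The expected tag is recomputed inside the token and only a
        # yes/no answer leaves it, so verifying yields no tag for another S.
        expected = _h(claimed_id, self.__k, message)
        return hmac.compare_digest(expected, tag)


def demo() -> dict:
    k = bytes(range(32))  # constructed sample key, provisioned into both tokens
    alice = Token(b"alice", k)
    bob = Token(b"bob", k)
    doc = b"order 42: 100 units"  # constructed sample document
    s, tag = alice.sign(doc)
    bob_s, bob_tag = bob.sign(doc)
    return {
        "bob_accepts_alice": bob.verify(s, doc, tag),
        "tampered_rejected": not bob.verify(s, doc + b"0", tag),
        "bob_tag_as_alice_rejected": not bob.verify(b"alice", doc, bob_tag),
        "bob_signs_only_as_bob": bob_s == b"bob",
    }


if __name__ == "__main__":
    print(demo())
```

The binding of a tag to one signer rests entirely on K staying inside the tokens; anyone holding K outside the hardware could compute a valid tag for any S.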